Ruby DNS Testing - First Glance

DNS is one of those ‘small config change here, errors a long way over there
later’ technologies that always leaves me a little worried about the
knock-on effect of my changes. As a simple, coarse safeguard at work we
use Nagios to check that a canary record in each zone can be resolved
from each DNS server. It’s far from a perfect solution but it does catch
some of the bigger errors and typos.

In order to beef up this safety net (and encourage me
to spend time using a language other than Perl) I’ve been
investigating some of the testing options available in Ruby, namely
RSpec and Cucumber. I have to say the testing libraries themselves are
actually nice to use and easy to pick up even for a
non-Rubyist like me. On the other hand I quickly developed a strong
dislike of the Ruby resolv library that actually does the
DNS queries. The lack of decent tutorials or documentation for
anything beyond the very basic uses and the (to me) very awkward API
nearly had me running back to the safety of Net::DNS, a mature and
widely used Perl module. There is a Ruby port that I’ll
have a look at in the future.

For the testing itself I started writing RSpec stories against my own DNS
and found the API easy to use. Testing existing configs against local
policies is simple. For example, all our domains should list at least
three name servers.
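As an added illustration (not the code from the original post), the three-name-server policy can be checked with Ruby's standard resolv library. `StubResolver`, `SAMPLE_ZONES` and the helper names are constructed for this example so that it runs offline; it assumes duplicate NS names differing only in case should count once.

```ruby
require "resolv"

MIN_NAMESERVERS = 3 # local policy from the post: at least three NS records per zone

# Constructed stand-in for Resolv::DNS so the example runs offline.
# It answers getresources() from a fixed table instead of the network.
class StubResolver
  NS = Resolv::DNS::Resource::IN::NS

  def initialize(zones)
    @zones = zones
  end

  def getresources(name, typeclass)
    return [] unless typeclass == NS
    @zones.fetch(name.to_s.chomp(".").downcase, []).map do |host|
      NS.new(Resolv::DNS::Name.create(host))
    end
  end
end

# Distinct NS host names for a zone, normalised (lower case, no trailing dot)
# so duplicates that differ only in case are not counted twice.
def nameservers(resolver, zone)
  resolver.getresources(zone, Resolv::DNS::Resource::IN::NS)
          .map { |rr| rr.name.to_s.chomp(".").downcase }
          .uniq.sort
end

# Returns { zone => [nameservers] } for every zone that breaks the policy.
def ns_policy_violations(resolver, zones, minimum: MIN_NAMESERVERS)
  zones.each_with_object({}) do |zone, failures|
    found = nameservers(resolver, zone)
    failures[zone] = found if found.size < minimum
  end
end

# Constructed sample data: a compliant zone, a duplicated NS, and an empty zone.
SAMPLE_ZONES = {
  "example.org" => %w[ns1.example.org. ns2.example.org. ns3.example.net.],
  "example.net" => %w[ns1.example.net. NS1.example.net. ns2.example.net.],
  "example.com" => []
}.freeze

if __FILE__ == $PROGRAM_NAME
  failures = ns_policy_violations(StubResolver.new(SAMPLE_ZONES), SAMPLE_ZONES.keys)
  failures.each { |zone, found| puts "FAIL #{zone}: #{found.size} NS #{found.inspect}" }
end
```

To run the same check against a real server, pass a `Resolv::DNS` instance (optionally built with the `nameserver:` option to target one specific DNS server) in place of the stub.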

After doing some more scut work and testing other record types I moved
onwards and upwards to Cucumber. I’m not
sure I’d be able to gift someone else with writing the scenarios but
they’ll be easier to show business people than raw RSpec stories.
They’ll also be very handy in migration meetings (an executable to-do
list): if it’s not on the page, it’s not getting done.

    Feature: Mass DNS Resolution
      In order to present a consistent brand image
      As a System Administrator
      I want to ensure no domains point away from our main IP

      Scenario Outline: Resolve a name to a number
        Given a hostname of <hostname>
        Then I should see the IP address 266.266.266.266

        Examples:
          | hostname        |
          | example.org     |
          | www.example.org |

Next time I work somewhere with ISO 27xxx
compliance requirements I’ll see if the controls can be
written like this and have automatic verification run from them.
Cucumber is a little wordy for my tastes but I can see where that could
be a strength when presenting to the right audience (such as compliance
auditors).

Next time we have a set of DNS migrations I’ll be using at least
one of these tools to write before and after test cases to ensure
nothing gets missed or slips through the cracks. Once I’ve been through
a couple I’ll write up in more detail what we end up with.